While some of the shoulder-surfing resistant schemes described in section 5.2 can be adapted for use in the gamepad context, none of them were specifically developed for this context. As part of the work underlying this chapter (i.e. [138]) a novel password entry scheme called Colorwheels was developed based on the results described in this chapter. While Colorwheels explicitly is not a contribution of this thesis, an understanding of this scheme is required for the next chapter. Therefore, Colorwheels is described in the remainder of this section as a post scriptum to this chapter.
Colorwheels is specifically designed for shoulder-surfing resistant input of text passwords using gamepads. The general design of the scheme is based on pie menu structures [42], similar to the Daisy Wheel scheme described in section 5.2. Its interface consists of two pie menu “flowers” with eight petals each. These overall 16 petals contain all possible characters (i.e. uppercase and lowercase letters, numbers, and special characters) for the password entry. This design is depicted in figure 5.20. Colorwheels is designed specifically for text entry with a gamepad, thus meeting requirements R4 and R5. Due to the two flowers, Colorwheels’s operation necessitates the availability of two analogue sticks on the gamepad. Each stick is used to select petals in one of the flowers: the left stick to select petals in the left flower and the right stick to select petals in the right flower. Each petal holds either 6 or 5 characters, allowing the placement of all 94 printable ASCII characters on the petals of the two flowers.
The entry of each password character is performed with the following four-step procedure (see figure 5.21): (1) The characters appear randomly distributed on the petals of the two flowers and the user locates the petal with the desired character. (2) Once the user locates the petal with the desired character, they press the ×-button to confirm that they have found it. Upon pressing the button, all the characters vanish from the petals. (3) Then the user selects the petal. Each flower corresponds input-wise to one of the two analogue sticks. To select a petal in the left or right flower, the left or right analogue stick has to be used respectively. Since there are only eight different positions for each analogue stick, the scheme meets R3. The current input is reflected by a light change in colour of the selected petal (visible in figure 5.21 in step 3 where the upper petal on the right flower is selected). (4) The user confirms the selection of the petal using any of the shoulder buttons. Upon pressing the button to confirm the selection, a new random distribution of characters appears on the petals and the procedure begins anew for the next character.
Colorwheels belongs to the category of authentication schemes obfuscating the users’ inputs (see section 2.3.1). To obtain the password, a shoulder-surfing attacker would have to memorise the random distribution of all characters in the time the user locates the petal with the character they want to enter. The basic assumption underlying the shoulder-surfing resistance is that this task is cognitively demanding enough to protect against opportunistic shoulder surfing, i.e. meeting requirement R1. However, this opportunistic shoulder-surfing property must still be validated in an empirical evaluation.
Figure 5.21: The password entry procedure of Colorwheels.
Step 1: Characters appear in a random distribution on the petals. User locates petal on which the character they want to enter is.
Step 2: User confirms that they have found the petal and upon pressing the ⨉-button all characters vanish from the petals.
Step 3: User selects the petal located in step 1 using the analogue sticks (here: top in right flower). A change to a subtly lighter color gives feedback.
Step 4: Upon confirming the selection of the petal a new random distribution of characters appears on the petals.
At any time during the procedure, the scheme requires less than two concurrent controls on the front and less than the number of overall available buttons, meeting requirements R2 and R6. Using the -button, the last entered character can be deleted, allowing for easy recovery from errors.
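The following Python sketch is an added example, not code from the thesis or from the Colorwheels implementation. It simulates the entry procedure described above and computes which characters remain possible for an observer who did capture the layouts, going beyond the text by also intersecting several observed entries of the same password. How the two 5-character petals are chosen and the use of Python's `secrets` RNG are assumptions.

```python
import secrets
import string

# The 94 printable ASCII characters (space excluded), as stated on the page.
CHARSET = string.ascii_letters + string.digits + string.punctuation
# Two flowers with eight petals each; positions 0..7 map to the stick directions.
PETALS = [(flower, pos) for flower in ("left", "right") for pos in range(8)]


def new_layout(rng=None):
    """Step 1: deal all characters randomly onto the 16 petals (14 hold 6, 2 hold 5)."""
    rng = rng or secrets.SystemRandom()
    chars = list(CHARSET)
    rng.shuffle(chars)
    petals = list(PETALS)
    rng.shuffle(petals)  # assumption: which petals hold only 5 characters also varies
    layout, start = {}, 0
    for n, petal in enumerate(petals):
        size = 6 if n < 14 else 5
        layout[petal] = set(chars[start:start + size])
        start += size
    return layout


def enter_password(password, rng=None):
    """Simulate one entry; return a (layout, selected petal) pair per character."""
    trace = []
    for ch in password:
        layout = new_layout(rng)  # step 4: fresh random layout for every character
        petal = next(p for p, cs in layout.items() if ch in cs)  # steps 1 to 3
        trace.append((layout, petal))
    return trace


def candidates(traces):
    """Characters still possible per position for an observer who captured every
    layout and petal selection in the given entries of the same password.
    Without the layouts, a petal selection alone excludes no character."""
    result = []
    for pos in range(len(traces[0])):
        possible = set(CHARSET)
        for trace in traces:
            layout, petal = trace[pos]
            possible &= layout[petal]
        result.append(possible)
    return result
```

A single captured entry leaves 5 or 6 candidates per character, while repeated captured entries shrink each set quickly, which is why the scheme's resistance is framed around opportunistic observation.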
6 Empirical Evaluation of Three Authentication Schemes in the Gamepad Context
From the last chapter, i.e. the assessment of the schemes currently deployed in the gamepad context (section 5.2.1) as well as the proposals in the literature for non-gamepad contexts (section 5.2.2), it became apparent that an empirical evaluation to determine a baseline in terms of usability as well as shoulder-surfing resistance is needed to gauge the real-world resistance to opportunistic shoulder-surfing of schemes already deployed in the gamepad context. Of most interest is the incumbent scheme, i.e. the on-screen keyboard. An empirical evaluation also allows comparing this baseline of the incumbent scheme to alternatives from the literature as well as schemes tailored specifically to the gamepad context. Such a comparative empirical evaluation will indicate where trade-offs among the evaluated schemes exist, which possible alternatives to the incumbent scheme are better suited to be used in the gamepad context, and which design directions might be worth following.
Therefore, this chapter presents a comparative evaluation of three schemes discussed in the previous chapter: (a) the on-screen keyboard (section 5.2.1) as incumbent and de facto standard in the gamepad context in order to determine a baseline, (b) the grid-based scheme (section 5.2.2) as proposal from the literature, which was found in the discussion of the results in the last chapter (section 5.3.1) to be the scheme from the literature most suitable for an empirical evaluation, and (c) the Colorwheels scheme (section 5.5) as proposal designed specifically for password entry with gamepads. To that end, two user studies – one online study and one lab study – were conducted to comparatively evaluate the three schemes’ resistance to opportunistic shoulder-surfing and their usability as determined by the metrics effectiveness, efficiency, and satisfaction of ISO 9241-11:2018-03 [108]. Conducting both an online study and a lab study allows harnessing the advantages of both study settings. Both studies are based on the same methodology (section 6.1). The procedures of the online study (section 6.2) and the lab study (section 6.3) differ slightly: while both studies empirically evaluate the opportunistic shoulder-surfing resistance, only the lab study evaluates the usability metrics. To assess the shoulder-surfing resistance, participants were asked to recover a password by observing video recordings of its entry. To assess the usability, participants used the three schemes themselves and their performance with respect to the metrics efficiency, effectiveness and satisfaction was measured.
From the discussion (section 6.4) it becomes apparent that the results of the two studies confirm how little protection even against opportunistic shoulder-surfing the commonly used on-screen keyboard provides: It is significantly more susceptible to shoulder-surfing than the other two schemes in both studies. Both other schemes fare better, but the Colorwheels scheme seems to exhibit a more robust shoulder-surfing resistance. Usability-wise, the on-screen keyboard fares best. It performs significantly better in terms of efficiency and satisfaction than the other two schemes as well as significantly better in terms of effectiveness than Colorwheels. Colorwheels scores significantly better in terms of efficiency and satisfaction than the grid-based scheme and is rated highest by the participants in terms of intention to use the scheme in the future. This indicates that there currently exists a clear trade-off between usability and shoulder-surfing resistance, but that users are willing to make this trade-off in the context of text password entry on gamepads in order to better protect themselves from shoulder-surfing. Section 6.5 concludes this chapter.
Contributions described in this chapter:
• A baseline in terms of usability and shoulder-surfing resistance is established for the on-screen keyboard (as incumbent and de-facto standard in the gamepad context) by conducting two user studies – an online study and a lab study – using similar methodologies.
• The viability of alternatives to the on-screen keyboard is assessed by evaluating two additional schemes in the same study settings:
1. The grid-based scheme, which is a shoulder-surfing resistant authentication scheme proposed in the literature and identified as most viable candidate adaptable to the gamepad context.
2. The novel Colorwheels scheme (section 5.5) which was specifically designed for the gamepad context.
Parts of the results described in this chapter have been published in:
• P. Mayer, N. Gerber, B. Reinheimer, P. Rack, K. Braun, and M. Volkamer, “I (don’t) see what you typed there! Shoulder-surfing resistant password entry on gamepads”, Conference on Human Factors in Computing Systems (CHI), 2019.